An anonymous reader writes "Steve Santorelli gets computing experts and law enforcers to cooperate in a global fight against organized Internet crime. This article talks about the role of law enforcement in identifying and battling online threats as they change and evolve. Quoting: 'The common wisdom about hacking and cybercrime is, in Santorelli's view, severely out of date. He says cybercriminals aren’t lone wolves; they are financed and directed by international criminal syndicates. ... Organized crime also has vast resources derived from its traditional operations to finance the hiring of quality hackers around the world. There is even evidence that some syndicates are investing in research and development, looking to create proprietary, next-generation hacking tools, Santorelli says.'"

RedEaredSlider writes "The Conficker worm is still a threat, even though it is more than two years old and nobody has used it in a botnet attack yet. The problem is that so many machines are infected (largely because many don't realize it) and it's such a flexible piece of malware."

Trailrunner7 writes "Spammers aren't the only ones who have figured out that social networks like Twitter and Facebook are good for business. Sophisticated hackers conducting targeted attacks are also using the networks as a tool to manage malware installations on victims' networks. Mandiant's latest "M-Trends" report, released on Thursday, says that the company has observed an increasing number of so-called "Advanced Persistent Threats" that are hijacking legitimate social networks and Web based services, including Facebook, Google Chat and MSN as command and control networks for malware installations. The revelation is part of a larger trend that saw sophisticated attacks on commercial entities outstrip attacks on the networks of government agencies and defense industry players, Mandiant reported."

alphadogg writes "A new report from Akamai Technologies (CT: Requires login) shows that hackers appear to be increasingly using the Telnet remote access protocol to attack corporate servers over mobile networks. The report, which covers the third quarter of 2010, shows that 10 percent of attacks that came from mobile networks are directed at Port 23, which Telnet uses. That marks a somewhat unusual spike for the aging protocol used to log into remote servers but that has been gradually replaced by SSH."

Trailrunner7 writes "The amount of spam hitting users' inboxes fell off a cliff in late December, with many security experts attributing the decline to the sudden disappearance of the Rustock botnet and other networks from the spam business. But the level of spam has begun to gain back some of the ground it lost today as other spammers have taken up the slack. Researchers say that after the sudden drop-off in spam volumes, things stayed fairly quiet for a time, but now it seems that other spammers have picked up where Rustock and the other spamming operations left off. The volume of spam took a big jump upward in the last 24 hours, according to researchers at Websense. The volume of spam hasn't made it all the way back to the levels of the last few months of 2010, but it seems to be on the way."

Batblue writes "A botnet fingered for stealing a treasure trove of information last year has struck again, harvesting sensitive documents from dozens of government agencies and contractors, according to a pair of security experts. The botnet, dubbed 'Kneber' by Alex Cox, principal research analyst at NetWitness, was behind a campaign of fake Christmas e-mails waged two weeks ago against government workers. NetWitness deals in advanced threat detection technologies, and conducts post mortem network forensics for firms that have been hit with attacks or data breaches."

CWmike writes "Microsoft confirmed on Tuesday an unpatched vulnerability in Windows just hours after a hacking toolkit published an exploit for the bug. A patch is under construction, but Microsoft does not plan to issue an emergency update to fix the flaw. The bug was first discussed Dec. 15 at a South Korean security conference, but got more attention Tuesday when the open-source Metasploit penetration tool posted an exploit module crafted by researcher Joshua Drake. Metasploit says successful attacks are capable of compromising victimized PCs, then introducing malware to the machines to pillage them for information or enlist them in a criminal botnet."

Trailrunner7 writes "A new spam campaign that appeared shortly before the New Year is part of a new effort by the crew behind the Storm/Waledac botnet and is using some rather elementary tactics — in combination with fast-flux — to attempt to compromise unsuspecting users. The new attack emerged late last week and is fronted by a fairly lame spam campaign that is sending millions of emails that appear to be holiday e-cards, one of the older and more threadbare techniques in this particular game. According to an analysis of the attack by the researchers at the Shadowserver Foundation, victims who click on the link in the email are directed to one of a number of compromised domains, which then redirect the user to another page that displays a message asking the user to download a fake Flash player. This, of course, installs a piece of malware on the victim's machine."

wiredmikey writes that researchers from Lookout Mobile have discovered a sophisticated Trojan targeting Android devices. "The company says the mobile malware is 'The most sophisticated Android malware we've seen to date. Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user's phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone.' What makes the Trojan different from most 'standard' mobile malware is that Geinimi is being 'grafted' onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets."

supernothing writes "DDoS attacks seem to be in vogue today, especially considering the skirmishes over WikiLeaks in the past few weeks. The size of a DDoS attacks, however, has historically been limited by how many computers one has managed to recruit into a botnet. These botnets almost universally require code to be executed on the participants' local systems, whether they are willing or unwilling. A new approach has been emerging recently, however, which uses some simple JavaScript to achieve similar ends. d0z.me is a new service that utilizes these techniques, but provides a unique twist on the idea. Posing as a legitimate URL shortening service, it serves users the requested pages in an iFrame, while simultaneously participating in a DDoS attack in the background. No interaction is required beyond clicking the link and staying on the page. This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants plausible deniability in the assault."

holy_calamity writes "Technology Review reports that researchers installed 3000 copies of Windows XP on a high performance cluster at a Canadian university and set loose the Waledac botnet on them. It's the first time researchers have built and operated their own botnet as a strategy to better understand those at large on the internet. Doing it inside an experimental computing cluster removes the legal and ethical complications of experimenting with live botnets that control innocent users' machines."

Orome1 writes "While individual acts of hacktivism are inconvenient, something else happens when hacktivists group together — they commonly perform a DDoS attack. Techniques have advanced to automate the process, making the attacks more powerful and thus more able to bypass security controls — the effect, however, remains the same. Let us take a look at the recent Operation Payback which has gained notoriety in the past few months."

alphadogg writes "As the distributed denial-of-service attacks spawned by this week's WikiLeaks events continue, network operators are discussing what progress, if any, has been made over the past decade to detect and thwart DoS attacks. Participants in the North American Network Operators Group (NANOG) e-mail reflector are debating whether any headway has been made heading off DDoS attacks in 10 years. The discussion is occurring while WikiLeaks deals with DDoS attacks after leaking sensitive government information, and sympathizers launch attacks against MasterCard, Visa, PayPal and other significant e-commerce sites."

Giovane Moura writes "For a number of days the websites of MasterCard, Visa, PayPal and others are attacked by a group of WikiLeaks supporters (hacktivists). Although the group calls itself 'Anonymous,' researchers at the DACS group of the University of Twente (UT), the Netherlands, discovered that these hacktivists are easy traceable (PDF), and therefore anything but anonymous. The LOIC (Low Orbit Ion Cannon) software, which is used by the hacktivists, was analyzed by UT researchers, who concluded that the attacks generated by this tool are relatively simple and unveil the identity of the attacker. If hacktivists use this tool directly from their own machines, instead of via anonymization networks such as Tor, the Internet address of the attacker is included in every Internet message being transmitted. In the tools no sophisticated techniques are used, such as IP-spoofing, in which the source address of others is used, or reflected attacks, in which attacks go via third party systems.

A number of readers are sending in links related to Anonymous, the Internet phenomenon — don't call them a group — behind the controversial DDoS attacks on commercial entities that fail to support WikiLeaks. The best insight into Anonymous comes from the Economist's Babbage blogger, who hung out in one of their IRC channels. Reader nk497 points out that UK users looking to join Anonymous's DDoS army should be aware they could face a jail term of up to two years; simply downloading the LOIC software used in the DDoSing could suffice to earn a conviction. One 16-year-old has been arrested in The Netherlands and is charged with participating in the DDoS. Reader ancientribe sends in coverage of a claim by one security outfit that several existing criminal botnets have joined forces with Anonymous's Operation: Payback. And reader Stoobalou notes a Thinq.co.uk story on a manifesto of sorts that purports to come from "ANON OPS," even though Anonymous disclaims any central spokesperson or entity (press release here, PDF).

An anonymous reader writes "MasterCard's website has been hit by a distributed denial of service attack. Netcraft describes how the attack uses a voluntary botnet of LOIC (low orbit ion cannon) users to swamp sites with traffic. PostFinance, the PayPal blog and Swedish prosecutors have been targeted previously."

Trailrunner7 writes "Researchers are tracking a new botnet that has become one of the more active DDoS networks on the Internet since its emergence early last month. The botnet, dubbed 'Darkness,' is being controlled by several domains hosted in Russia and its operators are boasting that it can take down large sites with as few as 1,000 bots. The Darkness botnet is seen as something of a successor to the older Black Energy and Illusion botnets and researchers at the Shadowserver Foundation took a look at the network's operation and found that it is capable of generating large volumes of attack traffic. 'Upon testing, it was observed that the throughput of the attack traffic directed simultaneously at multiple sites was quite impressive,' Shadowserver's analysts wrote in a report on the Darkness botnet. 'It now appears that "Darkness" is overtaking Black Energy as the DDoS bot of choice. There are many ads and offers for DDoS services using "Darkness." It is regularly updated and improved and of this writing is up to version 7. There also appear to be no shortage of buyers looking to add "Darkness" to their botnet arsenal.'"

DaveNJ1987 writes "The FBI believes that one third of the world's spam messages are being generated by one 23-year-old Russian man. Oleg Nikolaenko of Moscow is being blamed for operating the Mega D botnet that sent spam emails from over 500,000 infected computers."

c0lo writes "In a sudden outburst of common sense, the Australian senate decided that it is not the government's responsibility to force ISPs to disconnect infected computers from the Internet. Peter Coroneos, chief of the Internet Industry Association, used a car analogy that actually makes sense: 'It would be like forcing car manufacturers to take responsibility for bad drivers.'"

itwbennett writes "Thirty-three-year old Scottsman Matthew Anderson was sentenced this week to 18 months in prison for orchestrating a malicious Trojan campaign in 2006. The reason for his relatively light sentence? He apparently wasn't seeking to maximize profit like any normal, red-blooded hacker. Also, his timing was good. His arrest in June 2006 predated by a matter of months the Police and Justice Act, which would likely have resulted in a harsher sentence. By comparison, David Kernell, who snooped in Sarah Palin's email, got a year in prison."